Inter-Frame-Relationship Protected Signal: A New Design for Radio Frequency Fingerprint Authentication

Utilizing a multi-frame signal (MFS) rather than a single-frame signal (SFS) for radio frequency fingerprint authentication (RFFA) shows the advantage of higher accuracy. However, previous studies have often overlooked the associated security threats in MFS-based RFFA. In this paper, we focus on the carrier-sense multiple access with collision avoidance channel and identify a potential security threat, in that an attacker may inject a forged frame into valid traffic, making it more likely to be accepted alongside legitimate frames. To counter such a security threat, we propose an innovative design called the inter-frame-relationship protected signal (IfrPS), which enables the receiver to determine whether two consecutively received frames originate from the same transmitter to safeguard the MFS-based RFFA. To demonstrate the applicability of our proposition, we analyze and numerically evaluate two important properties: its impact on message demodulation and the accuracy gain in IfrPS-aided, MFS-based RFFA compared with the SFS-based RFFA. Our results show that the proposed scheme has a minimal impact of only −0.5 dB on message demodulation, while achieving up to 5 dB gain for RFFA accuracy.


Introduction
Radio frequency fingerprint authentication (RFFA) is a novel approach that leverages the inherent randomness of radio frequency hardware imperfections to authenticate transmitters. These hardware imperfections, including carrier frequency offset (CFO) [1], inphase/quadrature (I/Q) imbalance [2], and I/Q origin offset [3], possess inherent, unique, and non-reproducible properties. Thus, they can be used for identity authentication without the need for traditional credentials such as tokens or digital signatures. As a result, RFFA has emerged as a prominent technology for identity authentication in future wireless networks [4][5][6].
Although RFFA has been extensively studied over the past few decades, achieving high accuracy remains a significant challenge. To address this issue, many researchers have devoted themselves to two approaches. The first approach is to explore potential hand-crafted features according to underlying hardware imperfections. For instance, the authors in [7] first proposed five features, and the authors in [6] proposed a new feature called fractal dimension that can be used for RFFA. The second approach is to utilize machine learning techniques to automatically extract and apply the features for RFFA. For example, the authors in [8] proposed a machine learning-based method to dynamically determine the feature decision threshold in RFFA, and the authors in [9] proposed an incremental learning method to continuously realize the feature extraction. The complicated computation involved in the second approach has also been of concern; for example, the authors in [10] proposed a transfer learning method to reduce the computation To provide an MFS-based RFFA scheme overriding the above security threat, we propose an innovative design called the inter-frame-relationship protected signal (IfrPS). The core concept of IfrPS is to bind each pair of consecutively transmitted frames' signal with unique information, which can be used by the receiver to determine whether two consecutively received frames originate from the same transmitter. Meanwhile, frames that do not conform to the inter-frame relationship are excluded from the MFS-based RFFA process. Note that the unique information is randomly generated for each pair of consecutively transmitted frames and, thus, it cannot be forged by the attacker. Note that the proposed IfrPS-aided, MFS-based RFFA is applicable to these CSMA/CA communication systems, such as IEEE 802.15.4 and IEEE 802.11, in which a security level is required.
To demonstrate the applicability of our proposition, we considered two properties: efficiency and effectiveness. Efficiency evaluates the impact of IfrPS on message communication, while effectiveness quantifies the accuracy improvement achieved by IfrPS-aided, MFS-based RFFA compared to an SFS-based one. The main contributions of this paper are summarized as follows: 1.
This study is the first to identify a security threat associated with MFS-based RFFA.
In the CSMA/CA scenario, an attacker can inject forged frames into legitimate traffic. The MFS-based RFFA would be compromised when such an injection is not detected. We further substantiate this security threat through a Proof-of-Concept experiment; 2.
To address this security threat and provide a robust MFS-based RFFA scheme, we propose the IfrPS design. The designed IfrPS can be integrated into the MFS-based RFFA to enable the receiver to detect injected frames within valid traffic. Moreover, IfrPS requires no pre-shared key between the transceiver and is compatible with old receivers because it does not need to authenticate the transmitter; 3.
We analyze the potential impact of the IfrPS design on message demodulation for different constellations, including BPSK, QPSK, and 16QAM. Theoretical analysis and numerical evaluations demonstrate that the IfrPS design causes minimal degradation to message demodulation, with approximately −0.5 dB observed for the BPSK modulation system; 4.
To quantify the accuracy improvement in the IfrPS-aided, MFS-based RFFA compared with the SFS-based one, we conducted a case study using CFO as the authentication feature. Through theoretical analysis and numerical evaluations, we assessed the false reject ratio (FRR) at different false accept ratio (FAR) levels. The results indicate that the proposed approach can achieve up to 5 dB gain compared to the SFS-based RFFA.
The remainder of this paper is organized as follows. Related work is introduced in Section 2. Section 3 presents the system model and security threat. In Section 4, we present the designed IfrPS and the IfrPS-aided, MFS-based RFFA scheme. In Section 5, we study the efficiency of the IfrPS design, and, in Section 6, we study the effectiveness of the IfrPS-aided, MFS-based RFFA. This paper is concluded in Section 7.
The abbreviations used in this paper are summarized in Table 1.  Table 2, there are two approaches in RFFA research. To the best of our knowledge, [7] is the first approach for exploiting hardware imperfections to serve as the wireless device identity for RFFA. The work in [7] adopted five features (i.e., frequency error, synchronization correlation, I/Q origin offset, magnitude error, and phase error) extracted from IEEE 802.11 frame signal to distinguish different NICs. The experiment results from an indoor wireless test-bed environment demonstrated that PARADIS could differentiate more than 130 NICs with an accuracy greater than 99%. Additionally, the authors in [12] exploited the non-linearity characteristic in the digital-to-analogue converter for device authentication and reported an authentication accuracy of 60% in their simulation with 100 devices and a signal-to-noise ratio (SNR) of 30 dB. The CFO was studied in [9] to distinguish 30 Xbee devices, and the experimental results reported an authentication accuracy of 95%. In addition, I/Q imbalance was investigated in [13] to distinguish four Zigbee devices, and an authentication accuracy of 100% was reported. In recent years, the authors in [5] explored a new feature, named visibility graph, of wireless signals and experimentally demonstrated that it could enhance the RFFA accuracy by being involved with the five features proposed in [7]. Furthermore, the authors in [6] proposed a new feature, named fractal dimension, of wireless signals and also theoretically analyzed and experimentally evaluated its effectiveness in RFFA. It can be seen from the literature that exploring new features has been an appealing research field to enhance the RFFA accuracy. Except for the above hand-draft feature-based RFFA, there is also another approach that utilizes the deep learning technique to automatically extract the "deep" fingerprint. In such an approach, the authors in [14] explored the device imperfections of controller area networks and found that, by applying the deep learning technique, the achieved RFFA accuracy increased from 92% to 96%. Moreover, the authors in [15,16] adopted convolutional neural networks to reduce the training complexity in RFFA and reported that the computation resources can be greatly reduced by using the CNN without affecting the accuracy. Towards this direction, the authors in [17] proposed to combine the signal samples from different receivers, which can reduce the required complexity in the neural networks, since it can obtain a benefit to accuracy from the data augmentation. Table 2. Classification of researches on RFFA.

Traffic Anomaly Detection
Our considered security threat in MFS-based RFFA arises from the fact that an attacker may inject one forged frame into valid traffic, which compromises the MFS-based RFFA if such injected is not detected. Note that such an injection causes a traffic anomaly, and there exist two types of solutions in the literature for traffic anomaly detection, as listed in Table 3. Table 3. Classification of research on traffic anomaly detection.

Class Description Reference
Detection-based Detect the appearance of anomalous traffic [18][19][20][21][22][23] Prevention-based Detect the injected frame for discarding [24,25] The first type of solution is detection-based, which aims to detect the appearance of anomalous traffic. The basic idea is to utilize the well-defined relationship between different frames: once a forged frame is injected, the relationship is corrupted and, thus, can be detected. The most widely studied inter-frame relationship is the sequence number [18,19]. Sequence number is a 16-bit sequence control field starting at 0, which is then incremented by one for each non-fragmented frame. Thus, a forged frame signal causes non-continuity of the sequence number (here, it is assumed that an attacker cannot prevent the communication between a valid transceiver pair). However, the sequence number is easy to predict and forge by the attacker using soft wireless card or by techniques proposed in [20]; in addition, the sequence number is not available for control and management frames. Except for the sequence number, the relationships, including received signal strength [21], arrival time [22], and channel response [23], are also studied in previous research. Although these anomaly detection techniques can provide lightweight detection of traffic anomaly, they cannot guarantee normal communication when such attacks occur. In other words, the receiver can only know the presence of a traffic anomaly but cannot locate the injected frame(s).
The second type of solution is prevention-based, which aims to detect the injected frame and then discard it to guarantee normal communication, even when the attack occurs. The most commonly utilized prevention-based solutions include the digital signature [24] and hash message authentication code (HMAC) [25]. The basic idea is that attackers do not know the key and, thus, cannot generate the correct digital signature or HAMC. However, such prevention-based solutions usually require pre-shared key between the transceiver. Accordingly, for scenarios where establishing the pre-shared key between the transceiver is too difficult or unavailable, we do not follow the prevention-based solutions in this paper.

Preliminary Knowledge to CSMA/CA
In the CSMA/CA protocol, following Section 5.1.4 in [26], devices initially synchronize with the network coordinator using beacon signals. A general transmission mechanism through a multiple-access channel was introduced in [26] as follows. When a device wants to transmit data, it senses the channel to check for ongoing activity. If the channel is busy, it continues sensing until the channel becomes idle in the next time slot. Next, the device waits for a short additional period called the distributed inter-frame spacing (DIFS), prioritizing frames with higher priority, such as real-time or urgent data. Once the DIFS expires and the channel remains idle, the device generates a random Backoff interval before transmitting. This random Backoff mechanism prevents multiple devices from transmitting simultaneously, thus avoiding collisions. For each time slot, the Backoff time counter is decremented by 1 as long as the channel is sensed idle, stopped when a transmission is detected on the channel, and reactivated when the channel is sensed idle again for more than a DIFS. When the Backoff time counter reaches zero and the channel is still idle, the device begins data transmission. Following this protocol ensures efficient communication among devices, reducing collision risks and optimizing data transfer within the network.

System Model
We consider the communication model depicted in Figure 2, where Alice and Carol act as transmitters, while Bob acts as the receiver. In this model, both Alice and Carol utilize the CSMA/CA protocol to access the channel. Bob responds with an ACK frame when he has successfully received a frame. Additionally present in the communication model is an impersonation attacker named Eve. Eve possesses knowledge about Alice, including her MAC address, IP address, and communication protocol. Eve's objective is to transmit forged frames by impersonating Alice, with the intention of pursuing invalid interests. To prevent the impersonation attack, when Bob has received M (M > 1) frames claimed to be from Alice, Bob employs the MFS-based RFFA to determine whether the received M frames originate from Alice or Eve. We denote the M received frames signal by a matrix Y = [y 1 , y 2 , . . . , y M ], where each element correspond to a frame signal. Bob first estimates the desired feature, denoted byf m(1 m M) ∈ R n , from each received frame signal y m . The M feature estimates constitute a feature estimate vectorf = f 1 ,f 2 , . . . ,f M T . Furthermore, we consider that Bob knows a reference feature of Alice, denoted as f . The MFS-based RFFA scheme can be formulated as the following binary hypothesis test: where α = [α 1 , α 2 , . . . , α n ] represents the weight of different feature estimates, and δ represents the decision threshold. If H 0 is accepted, it implies that the received multi-frame signal Y originates from Alice. Conversely, if H 1 is accepted, it indicates that the received multi-frame signal Y originates from Eve, thus implying an impersonation attack.

Security Threat
In CSMA/CA, Eve can inject a forged frame into valid traffic by modifying its Backoff time. As shown in Figure 3, Eve can arbitrarily activate injection by setting the Backoff time to zero, or deactivate injection by setting the Backoff time to the maximum value. This strategic control allows Eve to manipulate the channel access and, thus, the forged frame injection opportunity and ratio in valid traffic. As a result, the forged frame is blended with legitimate frames in the MFS-based RFFA.  To demonstrate the impact of the aforementioned forged frame injection on the MFSbased RFFA, we conducted a Proof-of-Concept experiment to measure the averaged feature estimate with multiple frames in the presence and absence of the aforementioned injection. For this purpose, we first developed a frame signal collection platform, as shown in Figure 4, in which we utilized a universal software radio peripheral (USRP) as the receiver to collect frames signal by setting the Network Interface Card (NIC) as the transmitter. Next, 10 4 frame signals from two NICs, which represent Alice and Eve, were alternately sampled. We estimated, normalized, and recorded the CFO for each collected frame. Subsequently, we combined these CFO estimates to form a group of M samples comprising M e elements randomly originating from Eve and the remaining M − M e elements randomly originating from Alice. We then calculated the average CFO estimate for each group type by setting α = [1, 1, . . .  To analyze the statistical distribution in the averaged CFO estimate, we set M = 10, and M e varied from 0 to 10 to form 11 group classes. For each group class, we generated 10 3 samples, calculated the corresponding averaged CFO estimate of each sample, and used box plots, as illustrated in Figure 5, to represent the statistical characteristics of the averaged CFO estimate. The results in Figure 5 show that the averaged CFO estimate for classes M e = 0 and M e = 10 (green and red) exhibited the largest distinction, indicating that, if we can ensure all of the 10 frames originate from the same transmitter, the MFS-based RFFA can achieve the highest accuracy. However, as M e decreased from nine to one, the distribution of the averaged CFO estimate gradually became more and more similar to that of M e = 0. In particular, when M e = 1, more than half of the averaged CFO estimate overlapped with that of M e = 0. This suggests that, when Eve injects only one forged frame into valid traffic, the forged frame is much more likely to be accepted by the MFS-based RFFA. Overall, the results presented in Figure 5 demonstrate the severity of the identified injection attack in the MFS-based RFFA.

IfrPS Design and IfrPS-Aided, MFS-Based RFFA Scheme
In this section, we propose the IfrPS design and the IfrPS-aided, MFS-based RFFA scheme. At the end, we give a brief discussion of the security properties of our propositions.

IfrPS Design
The rationale behind the designed IfrPS is to associate each transmitted frame with unique information that cannot be forged by attackers. To this end, the transmitter attaches an HMAC to each transmitted frame signal and then discloses the key in the next transmitted frame signal (see the flow diagram of the IfrPS design illustrated in Figure 6). To elaborate further, we summarize the IfrPS design in three key steps. First, we generate the unique information that needs to be attached in each transmitted frame signal. Let us denote the message data of the m-th frame by D m , where m is interpreted as the frame index. It is worth noting that the re-transmitted frame is considered to have the same index m. Then, we can denote the unique information of the m-th frame by I K m , I C m . Here, I K m satisfies and I C m is obtained by where H(·) represents the hash function. Note that, for each value of m, the transmitter randomly generates I K m , and I K m+j and I K m+j are independent of each other when i = j. Based on the above, the receiver can detect whether two received frames, with signals y m−1 and y m , originate from the same transmitter by calculating whether the demodulated unique information and message satisfy Equation (2).
Second, we convert the unique information I K m , I C m into symbols before attaching it to the transmitted frame signal, as shown in Figure 6. Since the bit sizes of I K m and I C m are, at most, 128, which is a number less than the frame length in most applications, we spread the unique information I K m , I C m to match the frame length. To this end, we use the spreading code, denoted by s = s 1 , s 2 , . . . , s N/N I , with each element as aj or −aj (j is the complex symbol), where N represents the frame length and N I represents the bit size of I K m and I C m . To simplify the description, we assume that N is a multiple of N I . Let us denote the converted symbols I K m and I C m by t K m and t C m , respectively. t K m and t C m are given by where "|" and "mod" are the symbols for division and modulus, respectively. Third, we attach the converted BPSK symbols of I K m , I C m into the modulated frame symbols. Let us denote the m-th frame without unique information being attached by d m = [d m,1 , d m,2 , . . . , d m,N ], and its version with unique information being attached by x m .
Here, x m is given by where ρ d and ρ t represent the power allocation for the message and unique information, respectively. Due to power constraint, we have ρ 2 d + ρ 2 t = 1. To provide readers with a clearer understanding of the attaching method, we also present, in Figure 7, an illustrative example of the message being modulated with BPSK.

IfrPS-Aided, MFS-Based RFFA Scheme
Considering that the transmitter has sequential frames for transmission, denoted by X = [x 1 , x 2 , x 3 , . . .], and taking into account the retransmission mechanism at the MAC layer, we assume that all these frames can be successfully received and demodulated by the receiver, denoted by Y = [y 1 , y 2 , y 3 , . . .]. However, each of the received frames may be forged and injected. In the IfrPS-aided, MFS-based RFFA scheme, the receiver needs to select the frames in Y that originate from the same transmitter as the first frame y 1 and construct a selected frames set denoted as Y s . The receiver then inputs Y s into Equation (1) to obtain the authentication result of the first frame y 1 . Similarly, for authenticating y m , the receiver selects frames from Y − {y 1 , . . . , y m−1 } and constructs the corresponding Y s . We summarize the procedure for leveraging the property of IfrPS to obtain Y s for the authentication of y 1 by using an M-frame signal as follows. This method can be extended to the authentication of other frames. Y s is initialized as Y s = {y 1 }. Frames in Y are, in turn, examined to be appended to Y s or not. We use y 1 and y 2 as an example to explain how to examine the IfrPS relationship between two consecutively frames. Note that each entry of y 1 and y 2 is given by y m,n = h m,n · x m,n + w m,n , m ∈ {1, 2} where h m,n ∼ N 0, 1 2 represents the channel fading, and w m,n ∼ N 0, σ 2 w represents the Gaussian noise. We assume block fading, so h m,n remains constant for the same value of m and varies independently across different values of m. Similarly, w m,n varies independently across different values of m and n. To extract the unique information attached in y m , the receiver first equalizes y m and demodulates the message d m . Then, it demodulates the unique information usingt where we assume accurate estimation of h m and decoding of d m . Based on the obtainedt m from Equation (7), the receiver can obtain the unique information through BPSK demodulation and de-spreading. LetÎ C m andÎ K m represent the estimated HMAC and key, respectively. The receiver can determine whether y 1 and y 2 originate from the same transmitter using the following binary hypothesis test: where D represents the code distance. If H 0 is accepted, the receiver appends y 2 to Y s ; otherwise, y 2 is not appended to Y s . The receiver iteratively examines the last element in Y s and the first element in Y − Y s , until either the size of Y s is M or the pair of frames to be examined has already been examined. Remarks: In our proposed IfrPS-aided, MFS-based RFFA scheme, we focus on authenticating the first frame y 1 . This differs from previous MFS-based RFFA schemes where the authentication result is used for all frame signals. This is because we cannot ensure whether the previous frame originates from the same transmitter by testing the IfrPS, as Eve, with significant computational resources, can deduce I K m+1 by listening to I C m and D m (see the detailed discussion in the previous subsection).

Security Property
In this subsection, we discuss the security property of the designed IfrPS, to demonstrate its ability to counter forged frame injection in MFS-based RFFA.
In MFS-based RFFA, where one forged frame is injected into valid traffic, there are two favorable cases for Eve in constructing the MFS. The first case occurs when the forged frame blends in with past valid frames, while the second case occurs when the forged frame blends in with the following valid frames. We have found that the proposed IfrPS design cannot prevent the first case, but it can effectively prevent the second case. Refer to Figure 8 for an illustrative explanation, where the marked numbers represent the frame index. In the following discussion, we analyze the security of the IfrPS design against these two cases separately. The injected frame may blend in with the following two legitimate frames for MFSbased RFFA. This can be achieved if the conveyed I C in the third frame matches the I K conveyed in the fourth frame. However, this scenario cannot be achieved, since Eve has to transmit the third frame before the fourth frame. It is important to note that, if the third frame is transmitted after the fourth frame, the receiver will discard the third frame due to the incorrect sequence number. Thus, Eve cannot obtain any knowledge about the I K conveyed in the fourth frame to crack it. In other words, Eve has no way to generate the correct I C that should conveyed by the third frame for a successful injection.
Overall, we observe that the IfrPS design can prevent the injected frame from blending in with the following valid frames in MFS-based RFFA. Therefore, we deduce that our proposed IfrPS-aided, MFS-based RFFA scheme is secure, since the receiver explores the following frames to form the MFS for each received frame.

Efficiency
Since the designed IfrPS requires a portion of transmission power to convey the unique information, the message demodulation BER will inevitably be affected. We measured the efficiency of the IfrPS design by evaluating its impact on message demodulation error. To this end, we considered the BPSK, QPSK, and 16QAM, with the constellation with IfrPS design shown in Figure 9, and performed both theoretical analysis and numerical evaluation towards these three modulation systems to assess the efficiency of the IfrPS design. With perfect channel estimation, the n-th received frame signal after channel compensation, denoted by y c n , can be expressed as where we define E s E n = by and respectively. We present both theoretical and numerical results for the message demodulation BER of IfrPS in the presence of BPSK, QPSK, and 16QAM modulations, as well as the BER of the normal signal (without IfrPS), for comparison. Figure 10 illustrates these results.
The first observation from the figure is that the theoretical and numerical results for the message demodulation BER of IfrPS exhibit a small discrepancy. This suggests that our theoretical analysis serves as a reliable predictor for the message demodulation BER of IfrPS. The second observation is that the message demodulation BER of IfrPS is only slightly higher than that of the normal signal across various signal-to-noise ratio (SNR) levels. When ρ 2 d = 0.99, the obtained BERs are nearly identical. This indicates that IfrPS introduces only a minor performance degradation in message demodulation, making it suitable for applications with stringent requirements on demodulation accuracy. The third observation is that the message demodulation BER of IfrPS is influenced by ρ 2 d , where a larger ρ 2 d results in a higher BER. This implies that we can adapt the parameter ρ 2 d to meet different requirements for message demodulation BER in practical applications. The fourth observation is that, under the same system parameters, the impact of IfrPS on the message demodulation BER varies across different modulation systems. For example, when ρ 2 d = 0.90, the equivalent SNR degradation in message demodulation is approximately 0.45 dB for BPSK, whereas it is around 2 dB for 16QAM. This suggests that the effect of IfrPS on BER is less pronounced in low-order modulation systems.
In summary, the results in Figure 10 demonstrate the effectiveness of IfrPS, as the message demodulation BER is only slightly increased when ρ 2 d is appropriately set. In the next section, we further explore the resulting accuracy gain in RFFA using the same ρ 2 d setting for IfrPS.

Effectiveness
The ability to securely construct an MFS inevitably affects the accuracy of an MFSbased RFFA scheme. Thus, we evaluate the effectiveness of the IfrPS-aided, MFS-based RFFA scheme in terms of the resultant RFFA accuracy that can be achieved. To measure the effectiveness, we define two types of error as follows: • FRR: FRR represents the ratio of valid samples that are incorrectly classified as invalid; • FAR: FAR represents the ratio of invalid samples that are incorrectly classified as valid.
Note that these two types of error affect both the processes of IfrPS detection and RFFA at the receiver side, i.e., the Equations (1) and (8). In the context of IfrPS detection, a valid sample refers to a frame signal originating from the same transmitter as the previous frames, while an invalid sample refers to a frame signal originating from a different transmitter. In the context of RFFA, a valid sample refers to a frame signal originating from Alice, while an invalid sample refers to a frame signal originating from Eve. In the following, we first analyze and evaluate these two types of error for the IfrPS detection process and then, on that basis, analyze and evaluate these for the RFFA process.

FRR and FAR in IfrPS Detection
We derived the closed-form expression of the FRR and the numerical solution of the FAR in the IfrPS detection process. Theorem 1. The FRR in IfrPS detection, denoted by P I f rPS FRR , is given by · dh 1 · dh 2 and the FAR of IfrPS, denoted by P I f rPS FAR , is given by Proof. For two consecutively received frame signals originating from the same transmitter, let us denote the channel fading coefficient of the first frame signal by h 1 and that of the second frame by signal h 2 . We can express the probability that the unique information attached into these two frames are accurately demodulated by and respectively. Then, by integrating P correct,1 and P correct,1 , we can obtain the probability that these two frames signal match with the demodulated unique information by Substituting P I f rPS FRR = 1 − P match,1,2 into Equation (17), we can prove Theorem 1.
We plot the theoretical and numerical results of the FRR and FAR in IfrPS detection process in Figure 11. The first observation is that the theoretical results match the numerical results well, which indicates that our theoretical expressions can be used to predict the performance. The second observation is that the resultant FRR and FAR perform a trade-off relationship over N and L. This indicates that, in practical applications, the values of N and L need to be optimized to achieve the required FRR and FAR levels. The third observation is that the resultant FRR and FAR can be refined with a larger E s /E n and a smaller ρ 2 d . This indicates that, for a communication with larger SNR and tolerance on message demodulation degradation, we can always obtain better performance in IfrPS detection. Furthermore, to provide a visual presentation of the IfrPS detection performance, we calculate the expected sequence length of the detected MFS, denoted by M. Note that the calculation can be expressed by Additionally, we plot the results in Figure 12. The first observation is that the expected sequence length increases over E s /E n and decreases over ρ 2 d . This is easy to understand, since we have demonstrated above that the IfrPS detection performance is positive in relation to E s /E n and negative to ρ 2 d . The second observation is that, for different levels of FAR in IfrPS detection, the obtained M has quite a significant value. For instance, when the FAR is fixed at 0.0001, i.e., the attacker can only compromise the IfrPS detection with the probability of 0.0001, the obtained M is more than 10 when N = 2000 and ρ 2 d = 0.90. Since such parameters are easy to satisfy in practical applications, whereas the corresponding parameter (ρ 2 d = 0.90) results in only about 2 dB degradation to message demodulation, the results in Figure 12 demonstrate the potential of enhancing the RFFA by adopting the IfrPS design and using the MFS-based approach.

FRR and FAR in RFFA
To quantify the FRR and FAR in RFFA, we used the CFO as the authentication feature as a case study. Following [28,29], we know that the CFO estimates follow the Gaussian distribution N , 1 4π 2 L 3 s (N s −1)γ , where represents the expectation of CFO estimate, γ represents the received SNR, and L s and N s are two parameters in CFO estimation following L s · N s = N. In this study, we fixed L s = 2 and calculated N s by N s = N/L s . Moreover, we can deduce that the averaged CFO estimate with M frames follows the distribution N 0, 1 4π 2 L 3 s (N s −1)γ , whereγ = 1 M · M m=1 γ m . We consider that the CFO of the randomly selected attacker follows the uniform distribution U (0, R), where R denotes the allowable CFO range, which we set to be 0.02π [28]. Thus, we can express the FAR in RFFA by for the SFS-based RFFA, and by (20) for the MFS-based RFFA.
where P I f rPS FRR is given in Theorem 1, and P FRR (m) follows To prove the above theorem, we illustrate, in Figure 13, both the theoretical and numerical FRR in RFFA, where we fix N = 2000, L = 100, and ρ 2 d = 0.95. It can be observed from Figure 13 that the theoretical results of FRR in RFFA match the numerical results well. This indicates that our theoretical result can be used for predicting the FRR in IfrPS-aided, MFS-based RFFA. From Equations (19) and (20), we know that using a smaller threshold in IfrPS-aided, MFS-based RFFA system can achieve the same FAR as that using a smaller threshold in the SFS-based RFFA system, which indicates that we need to use a smaller threshold to ensure a smaller FRR at the same FAR level in RFFA through the IfrPS-aided, MFS-based one than the SFS-based one. Lemma 1. To ensure the same FAR level of RFFA in the IfrPS-aided, MFS-based RFFA as that in the SFS-based one, and minimize the achieved FRR, the transmitter needs to optimize L.
To prove the feasibility of using the above method for optimizing L and, thus, to reduce the FRR under the same FAR levels, we illustrate in Figure 14 the obtained FRR by searching the optimal L. Note that the optimal L is numerically searched using the FRR and FAR expressions in Equations (20) and (21). The first observation from Figure 14 is that the searched L is the optimal one since it leads to the minimal FRR for both the theoretical and numerical results. The second observation is that the relationship between FRR and L is the convex function and, thus, we can always search the optimal L.
Finally, in oder to demonstrate the FRR gain in IfrPS-aided, MFS-based RFFA over the MFS-based RFFA, we illustrate the numerical results under different levels of FAR in Figure 15. The first observation from Figure 15 is that we can always achieve a positive FRR gain. Furthermore, the FRR gain increases with a smaller ρ 2 d . The second observation from Figure 15 is that equivalent SNR gain is mainly related to ρ 2 s rather than N. This is because using a larger N requires a larger L to ensure the FAR level, which inevitably limits the improvement in RFFA achieved by a larger N. The third observation from Figure 15 is that the equivalent SNR gain is about 5 dB when ρ 2 d = 0.90, N = 1500, and E s /E n = 20 dB. Note that the corresponding equivalent SNR degradation to message demodulation is only 2 dB for 16QAM, 1 dB for QPSK, and 0.5 dB for BPSk. This demonstrates the effectiveness of the proposed IfrPS-aided, MFS-based RFFA scheme in securely improving the RFFA accuracy.

Conclusions
In this paper, we have identified a security threat associated with the MFS-based RFFA in CSMA/CA. To counter this security threat, we propose an IfrPS-aided, MFS-based RFFA scheme. We conducted a comprehensive study to evaluate the security, efficiency, and effectiveness of the proposed scheme and conducted simulations to evaluate its performance. We note that the proposed scheme can counter the identified security threat with no pre-shared key required between the transceiver, and can be applied to various communication systems while only causing minor impact on message demodulation. Overall, our contributions advance the field of RFFA techniques by, for the first time, highlighting a new but critical viewpoint of the security threat when utilizing a multi-frame signal for RFFA in the CSMA/CA system. Additionally, we provide a foundation for further research and development in this area to securely utilize the multi-frame signal in RFFA in the CSMA/CA system without requirements for pre-shared keys.